Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
972
Views
0
Helpful
19
Replies

Inter VLAN routing - Layer 3 stwtch

Dario Francesco Vanin
Level 1
Level 1

‎04-14-2013 09:27 PM - edited ‎03-04-2019 07:35 PM

Hi guys,

I am tryingto add a new VLAN on my C3560E Layer 3 switch for administration purpose.

My goal is to make this VLAN for administration only and to let the administrators from 172.17.1.1 connect to any host of the internal network 172.16.0.0 plus exit to the internet via the default gateway 172.16.1.245.

Here an extract of what done so far:

ip routing

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

!

interface GigabitEthernet0/1

switchport mode access

!

interface GigabitEthernet0/2

switchport access vlan 30

switchport mode access

!

interface Vlan1

ip address 172.16.0.75 255.255.0.0

!

interface Vlan30

ip address 172.17.1.1 255.255.255.0

!

ip default-gateway 172.16.1.245

!

Output of show ip route:

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.16.0.0/16 is directly connected, Vlan1

L        172.16.0.75/32 is directly connected, Vlan1

      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.17.1.0/24 is directly connected, Vlan30

L        172.17.1.1/32 is directly connected, Vlan30

What happened is that:

1. The host connected to Vlan30 can correctly ping the interface it is connected to.

2, The internal network can access the internet

3. The host connected to VLAN30 cannot access the internet and cannot connect to any internal server.

Any suggestion? Do I have to add a static route?

This is a production envuironment and it is my first experiment with a layer3 switching in production, so I cannot mistake :-)

Thanks,

Dario Vanin

Labels:
0 Helpful
19 Replies 19

Dario Francesco Vanin
Level 1
Level 1
In response to Dario Francesco Vanin

‎04-14-2013 11:17 PM

Hi Bidal,

Just a qusestion: does it mean that all the traffic coming from VLAN30 will then pass through the firewall? If so, that is not feasible as I will have then to make many vlans and that would mean to overload the Gbps cable betweek the switch and the Firewall...

Thanks,

Dario

0 Helpful

Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Dario Francesco Vanin

‎04-14-2013 11:22 PM

Not all traffic will go thorough the FW, only Internet bound traffic from vlan 30. You do not need to create another vlan on the firewall. Just one route telling the firewall how to get to vlan 30.
Please make sure your FW has rules to accept traffic from this vlan.

Also from vlan 1 if you needed to get to vlan 30 this will go through the FW but you can block this with an ACL.

In my view it can only work this way in this particular case.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Dario Francesco Vanin

‎04-14-2013 11:27 PM

All internet traffic will be going through that single Gig link anyway. You must have a lot of traffic to saturate that link.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Dario Francesco Vanin
Level 1
Level 1
In response to Bilal Nawaz

‎04-14-2013 11:47 PM

Hi Bilal,

I was told that Layer3 switches could route the traffic internally. I am happy if the traffic destined to the internet to the internet are routed through the firewall but I can't get why all the traffic to the VLAN1 could not be routed internally...

By the way, the cable between the Switch and the firewall is not trunk, so it is not accepting encapsulated packets :-)

0 Helpful

Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Dario Francesco Vanin

‎04-14-2013 11:55 PM

Yes you are correct, this is intervlan routing. BUT your problem is that your default gateway for vlan 1 is on the firewall, therefore you are not doing intervlan routing on the switch!

When you ping from a pc in vlan 1 to vlan 30 the default gateway for that PC is the firewall, so it sends the packets to the firewall, but your firewall does not know where vlan 30 is, so it drops the packet.

Whereas if you had the gateway set to be your switch, then your pc would send packets to the 3560, and IT would do the routing, this is the intervlan routing.

This is the only way to get pings going between vlans. Or a static route on the firewall which you'll need anyway!

The route on the firewall will also serve your Internet traffic for vlan 30 but will be routed back to your switch.

There are a few design problems in this scenario, hence we are using workarounds.

Hope that explains better

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card